I couldn’t sleep last night because I was thinking (again) about how to kill passwords but ultimately ended up doing a small amount of research that lead me to be believe that solving the problem with passwords isn’t a technical one, but more of a fundamental problem encompassing identity and trust.
I caught myself thinking that a decentralised identity built on the blockchain could solve this issue and so could a public/private key-based solution. But ultimately neither of those provide a solution to the problem of being able to reliably authenticate a known identity AND provide an easy way for the identity to be reestablished if the identity is lost or stolen.
In an article titled “5 Identity Problems Blockchain Doesn’t Solve”, Blake Hall - CEO of id.me points out that “digital identity and authentication are, for the most part, layers and steps that precede the blockchain application layer…"
To replace passwords with a public-private key pair would be naive to the fact that decentralised trust models do not solve the problem of how to recover identity once it has been lost or reliably and demonstrably be associated with an actual person or entity.
With a centralised approach, the trust model is “boot-strapped” via email which is assumed to be a secure channel to the user associated. The user has delegated trust to their email provider such that their email account can be trusted to receive password reset URLs, account confirmation emails, not to mention potentially sensitive information pertaining to the user’s account, their finances and other things.
In a decentralised world, their is currently no de-facto mechanism by which to “boot-strap” the trust model, by the nature of today’s centralised main stream culture.
If a hypothetical app, let’s call it Tritter, wants to authenticate a new user who uses some hypothetical decentralised method of identity, Tritter from the get-go has to trust the source of authentication. But if the source of truth for this identity is decentralised, there is nothing to stop someone else from having the same identity. There’s no way to prove for sure that the requesting user is not a bad actor that has gained access to the identity.
This is not true of a centralised identity, because the trust is not placed on the requesting user but on some system that is assumed to be trustworthy which nowadays will range from email providers to social networks.
The centralised identity itself will be authenticated through some other method which is assumed to be trustworthy, such as a password login or an email account.
Anyway, none of this is new - the identity problem has raged on for years. Interestingly there is a newly published working draft from the W3C on “Decentralized Identifiers (DIDs)" just yesterday: https://w3c.github.io/did-core/ which looks interesting.
DIDs appear to be a standard for decentralised identity concerned with the technicalities of such a system. It is unclear how wide-spread the adoption of DID actually is.
This sentence from the abstract strikes me as particularly interesting: ”…the design enables the controller of a DID to prove control over it without requiring permission from any other party."
The use-cases section are still a draft, but describe a tonne of really interesting use-cases for DIDs. In short, they describe a myriad of ways where a decentralised identity can improve existing trust models, improving UX in fairly concrete ways.
Among the DID docs, Verifiable Credential (VC) issuers are mentioned and are described as authorities that issue DID credentials based on verified subject attributes (e.g. national ID or age or basically any fact that can be verified).
One such VC issuer, Onfido (which coincidentally sits on another floor of the building I currently work for) is actually using what seems to be a proprietary Self-Sovereign Identity (SSI) created by Sovrin to allow users to port digitally verified identities across multiple companies. They did so in a trial with the FCA last year. In this instance, Onfido is known as a “trust anchor” that provides identity verification capabilities that are user-friendly, for example taking selfies or short videos and using them in the identity verification process.
It’s unclear whether Sovrin DIDs are based on the W3 spec for DIDs, although there isn’t any mention in their docs.
Anyway, back to our example: in the future, “Tritter” could trust any number of VC issuers to verify that a given decentralised identity belongs to the claimant - connecting the real person or organisation with the decentralised identity.
This is fairly similar to how TLS certificate authorities work, but instead of assuring a secure connection to a specific website, Onfido assures the trustworthiness of an independent claim on identity. Note that CAs are centralised and built on reputations of organisations, such as Symantec, GeoTrust and the famous open source CA, Let’s Encrypt: see this article from WordPress that has a comparison of these.
Onfido’s proposition seems to be to become one of the first CAs of decentralised identity.
Meanwhile, Evernym are trying to productise portable credentials and they have a webinar this week that looks pretty interesting. I might try to register…
Anyway, this was a bit of a random surface-glancing look into a small slice of the SSI world. I’m definitely keen to look into this a bit more, and maybe consider whether Urbit is solving this particular issue of verifiable decentralised identification.